How to Create Keystore From Certificate and Private Key

It is impossible to imagine a modern web application that is not using TLS connections. So, regardless of the programming language that we use, we need to know how to configure our production environment in order to have encrypted communication with clients. 

Let’s take a look into the Java world and see which options we have on Apache Tomcat, one of the most popular web application servers. But first, we need to understand what a keystore is. 

How to Create Keystore From Certificate and Private Key

A keystore is a storage facility where cryptographic keys and certificates are stored. According to Java Cryptography Architecture, there are several types of keystores: KS, JCEKS, PKCS12, PKCS11 and DKS. In this article,  we’ll talk about the JKS one, although, starting from JDK 9, the default keystore is PKCS12.

To narrow down the focus, we are interested in one specific case when we have a private key and a CA-signed certificate and we have to configure the JKS keystore on the Tomcat. This case is more complicated than creating a keystore with a self-signed certificate (which is good for testing purposes). But the thing is, if you’re preparing a production environment you’ll rather use a CA certificate from a known CA authority than a self-signed one. This will increase trust in your application. 

NOTE: a guide below will be relevant only if you have a standalone Tomcat, which is quite rare nowadays. Usually you’ll be faced with a set up when Tomcat is sitting behind the Apache web server or nginx. In that case, you’ll have to handle TLS instead of Tomcat. Hence, this guide will become irrelevant for you. So pay attention and check and backup your setup accurately before implementing any changes.

A step-by-step guide on how to create keystore from certificate and private key

Now, getting back to the topic. Say, we have a private key and a CA signed certificate of this private key. Our goal is to set up the JKS keystore on a standalone Apache Tomcat application server. This is how you can do it.

Step 1. Create a PKCS 12 file:

openssl pkcs12 -export -in [path to certificate] -inkey [path to private key] -certfile [path to certificate ] -out keystore.p12

Your private key may have a password. If so, this step will be a bit longer, because you will have to set a password for the PKS12 file as well:

monowheeller@localhost:~/applications/tmp/keystores/signedca$ openssl pkcs12 -export -in prodsecret.pem -inkey prodserver.pem -certfile prodsecret.pem -out prodkeystore.p12
Enter pass phrase for prodsecret.pem:
Enter Export Password:
Verifying - Enter Export Password:

Step 2. Create a JKS file using the keytool command (a command line tool which can generate a public key / private key pairs and store them in a Java keystore).

keytool -importkeystore -srckeystore prodkeystore.p12 -srcstoretype pkcs12 -destkeystore prod.jks -deststoretype JKS

Step 3 (not required). You will probably want to change the password of the private key file in the keystore.

keytool -keypasswd -alias [Alias name for private key] -keystore [path to key store]

Step 4 (not required). If you want to modify the alias name of the private key entry:

keytool -changealias -keystore [path to key store] -alias [current alias]

That’s it! Thanks for reading.

Want to stay updated on the latest tech news?

Sign up for our monthly blog newsletter in the form below.

Softteco Logo Footer